Re: [DNG] why is polkit needed? dropin replacement
On Mon, 24 Feb 2020 13:46:46 +0100 Didier Kryn wrote:

> On 24/02/2020 at 10:44, aitor wrote:
> > Hi Didier,
> >
> > On 24 February 2020 10:01:33 Didier Kryn wrote:
> >
> > > On 24/02/2020 at 01:16, Aitor wrote:
> > > >
> > > > Hi Tito,
> > > >
> > > > On 23/2/20 17:02, Tito via Dng wrote:
> > > > > Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route.
> > > >
> > > > I'll answer to this question in more detail: the requirement of suid privileges implies an additional (non GUI) binary due to the fact that the usage of any GTK suid binary is impossible. Read here:
> > > >
> > > > http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html
> > >
> > > Does it mean that synaptic works that way with dropping privileges in the GUI?
> > >
> > > Didier
> >
> > Synaptic is run as root via sudo/su. There are no suid privileges
>
> Hi Aitor.
>
> Sure, but it is running a GUI with root privilege. I thought this was the danger and I understood this was forbidden in GTK+.

It's not a big deal as long as it's not some crazy bloated mess like a web browser or something.
Re: [DNG] why is polkit needed? dropin replacement
On 24/02/2020 at 10:44, aitor wrote:

> Hi Didier,
>
> On 24 February 2020 10:01:33 Didier Kryn wrote:
>
> > On 24/02/2020 at 01:16, Aitor wrote:
> > >
> > > Hi Tito,
> > >
> > > On 23/2/20 17:02, Tito via Dng wrote:
> > > > Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route.
> > >
> > > I'll answer to this question in more detail: the requirement of suid privileges implies an additional (non GUI) binary due to the fact that the usage of any GTK suid binary is impossible. Read here:
> > >
> > > http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html
> >
> > Does it mean that synaptic works that way with dropping privileges in the GUI?
> >
> > Didier
>
> Synaptic is run as root via sudo/su. There are no suid privileges

Hi Aitor.

Sure, but it is running a GUI with root privilege. I thought this was the danger and I understood this was forbidden in GTK+.
Re: [DNG] why is polkit needed? dropin replacement
Hi Didier,

On 24 February 2020 10:01:33 Didier Kryn wrote:

> On 24/02/2020 at 01:16, Aitor wrote:
> >
> > Hi Tito,
> >
> > On 23/2/20 17:02, Tito via Dng wrote:
> > > Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route.
> >
> > I'll answer to this question in more detail: the requirement of suid privileges implies an additional (non GUI) binary due to the fact that the usage of any GTK suid binary is impossible. Read here:
> >
> > http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html
>
> Does it mean that synaptic works that way with dropping privileges in the GUI?
>
> Didier

Synaptic is run as root via sudo/su. There are no suid privileges.

Cheers,

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
On 24/02/2020 at 01:16, Aitor wrote:

> Hi Tito,
>
> On 23/2/20 17:02, Tito via Dng wrote:
> > Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route.
>
> I'll answer to this question in more detail: the requirement of suid privileges implies an additional (non GUI) binary due to the fact that the usage of any GTK suid binary is impossible. Read here:
>
> http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

Does it mean that synaptic works that way with dropping privileges in the GUI?

Didier
Re: [DNG] why is polkit needed? dropin replacement
On 23/02/2020 at 16:26, Aitor wrote:

> On 23/2/20 16:22, Aitor wrote:
> > - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland.
>
> Kryn :)

ssh-askpass is just an example. There is certainly something usable in wayland. sudo accepts any helper.

Didier
Re: [DNG] why is polkit needed? dropin replacement
On 2020-02-23 22:10, marc wrote:

> If I understand you correctly, you propose a simple gtk program that is setuid (so that it can read /etc/shadow, and grant root privileges). The problem is that there is no such thing as a simple gtk program. This is not a comment limited to gtk programs - most graphical toolkits and libraries present a pretty large attack surface - they contain large protocol interpreters and font rendering engines, flaws in which could then be exploited to give root access without any password whatsoever.

The author of XScreenSaver, Jamie Zawinski, has some FAQ [1] entries and a separate page [2] explaining why he never used GTK or other graphical toolkits for XScreenSaver development. Perhaps some of those ideas may be relevant to this gkexec project?

[1] https://www.jwz.org/xscreensaver/faq.html#toolkits
[2] https://www.jwz.org/xscreensaver/toolkits.html

—Tom
Re: [DNG] why is polkit needed? dropin replacement
Hi,

On 23/2/20 23:10, marc wrote:

> > > You should never send an unencrypted password over a shell or pipe.
>
> So in the case of the former (using the shell, via echo or an environment variable) you are correct. Those show up in process listings... I am not so sure about the second part, the bit about not passing confidential information down a pipe. I am not aware of a third party being able to see the content of a pipe. If you are worried about the invoking user seeing the password, bear in mind that on sane distributions a normal user can strace the xterm in which one invokes su or sudo. This is not a recommendation to disable strace, it is a strong recommendation to run your webbrowser under a different uid - actually I am surprised that distributions don't have a wrapper which runs a browser as a different uid but with a shared gid...
>
> > i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...): ...
> > Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route.
>
> If I understand you correctly, you propose a simple gtk program that is setuid (so that it can read /etc/shadow, and grant root privileges). The problem is that there is no such thing as a simple gtk program. This is not a comment limited to gtk programs - most graphical toolkits and libraries present a pretty large attack surface - they contain large protocol interpreters and font rendering engines, flaws in which could then be exploited to give root access without any password whatsoever.
>
> So invoking su or sudo via a pipe is probably the way to go after all. Do note that sudo (or su) might not accept input from a plain pipe - you might have to allocate a pseudotty via /dev/pts/ptmx, then fork, exec su or sudo in the child and in the parent write the password down the filedescriptor...
>
> regards
>
> marc

Thanks for your suggestions, Mark. My first draft is a replacement for ssh-askpass. Here you are the sources:

gnuinos.org/gkexec/gkexec.tar.bz2

The usage is similar to ssh-askpass, that is:

    $ SUDO_ASKPASS=./gkexec sudo -A synaptic

I'm aware about several system variables playing a role in this issue, and i'm looking at the code of lxqt-sudo. See the README file.

Cheers,

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:

> Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route.

I'll answer to this question in more detail: the requirement of suid privileges implies an additional (non GUI) binary due to the fact that the usage of any GTK suid binary is impossible. Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

Cheers,

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 11:10 PM, marc wrote:

> > > You should never send an unencrypted password over a shell or pipe.
>
> So in the case of the former (using the shell, via echo or an environment variable) you are correct. Those show up in process listings... I am not so sure about the second part, the bit about not passing confidential information down a pipe. I am not aware of a third party being able to see the content of a pipe. If you are worried about the invoking user seeing the password, bear in mind that on sane distributions a normal user can strace the xterm in which one invokes su or sudo. This is not a recommendation to disable strace, it is a strong recommendation to run your webbrowser under a different uid - actually I am surprised that distributions don't have a wrapper which runs a browser as a different uid but with a shared gid...

Hi,
I intended | as a pipe, so doing echo something |.

> > i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...): ...
> > Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route.
>
> If I understand you correctly, you propose a simple gtk program that is setuid (so that it can read /etc/shadow, and grant root privileges). The problem is that there is no such thing as a simple gtk program. This is not a comment limited to gtk programs - most graphical toolkits and libraries present a pretty large attack surface - they contain large protocol interpreters and font rendering engines, flaws in which could then be exploited to give root access without any password whatsoever.

Yes, but after having written part of it, it looked too easy to be true and I started wondering why nobody did it that way already and so I figured out the reason myself. I fully agree.

> So invoking su or sudo via a pipe is probably the way to go after all. Do note that sudo (or su) might not accept input from a plain pipe - you might have to allocate a pseudotty via /dev/pts/ptmx, then fork, exec su or sudo in the child and in the parent write the password down the filedescriptor...
>
> regards
>
> marc

Ciao,
Tito
Re: [DNG] why is polkit needed? dropin replacement
> > > You should never send an unencrypted password over a shell or pipe.

So in the case of the former (using the shell, via echo or an environment variable) you are correct. Those show up in process listings... I am not so sure about the second part, the bit about not passing confidential information down a pipe. I am not aware of a third party being able to see the content of a pipe. If you are worried about the invoking user seeing the password, bear in mind that on sane distributions a normal user can strace the xterm in which one invokes su or sudo. This is not a recommendation to disable strace, it is a strong recommendation to run your webbrowser under a different uid - actually I am surprised that distributions don't have a wrapper which runs a browser as a different uid but with a shared gid...

> i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...): ...
> Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface.
> I would stay with just one suid binary, more so if you want to go the su-only route.

If I understand you correctly, you propose a simple gtk program that is setuid (so that it can read /etc/shadow, and grant root privileges). The problem is that there is no such thing as a simple gtk program. This is not a comment limited to gtk programs - most graphical toolkits and libraries present a pretty large attack surface - they contain large protocol interpreters and font rendering engines, flaws in which could then be exploited to give root access without any password whatsoever.

So invoking su or sudo via a pipe is probably the way to go after all. Do note that sudo (or su) might not accept input from a plain pipe - you might have to allocate a pseudotty via /dev/pts/ptmx, then fork, exec su or sudo in the child and in the parent write the password down the filedescriptor...

regards

marc
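The difference between the shell form and the plain-pipe form discussed in the message above, as an added C example (not code from this thread or from gkexec): the secret is written down a pipe to a child started with execv(), so it never appears in any argv, and the buffer is wiped afterwards. The function names are hypothetical and /bin/cat stands in for a program that reads the password from stdin as sudo -S does; a tracer running under the same uid, as marc notes, is outside what this addresses.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Overwrite a secret through a volatile pointer so the stores are kept. */
static void wipe(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* 1 if the secret is in any argv element (visible in ps and /proc/PID/cmdline). */
static int argv_leaks(char *const argv[], const char *secret)
{
    for (size_t i = 0; argv[i] != NULL; i++)
        if (strstr(argv[i], secret) != NULL)
            return 1;
    return 0;
}

/* write() until everything is sent; 0 on success, -1 on error. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Exec argv[0] directly (no /bin/sh), send secret + '\n' on its stdin, wipe the
 * secret, capture up to outlen-1 bytes of stdout. Returns exit status or -1. */
static int run_with_secret_on_stdin(char *const argv[], char *secret,
                                    char *out, size_t outlen)
{
    int to_child[2], from_child[2];
    if (outlen == 0 || pipe(to_child) < 0)
        return -1;
    if (pipe(from_child) < 0) {
        close(to_child[0]);
        close(to_child[1]);
        return -1;
    }
    signal(SIGPIPE, SIG_IGN);   /* a dead child must not kill us mid-write */

    pid_t pid = fork();
    if (pid < 0) {
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        return -1;
    }
    if (pid == 0) {
        signal(SIGPIPE, SIG_DFL);            /* do not leak our disposition */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execv(argv[0], argv);
        _exit(127);                          /* exec failed */
    }
    close(to_child[0]);
    close(from_child[1]);

    size_t len = strlen(secret);
    int sent = write_all(to_child[1], secret, len) == 0 &&
               write_all(to_child[1], "\n", 1) == 0;
    close(to_child[1]);                      /* child sees EOF */
    wipe(secret, len);                       /* plaintext lives no longer than needed */

    size_t got = 0;
    ssize_t n;
    while (got < outlen - 1 &&
           (n = read(from_child[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)n;
    out[got] = '\0';
    close(from_child[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !sent || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Shell form for contrast: { "/bin/sh", "-c", "echo SECRET | ...", NULL } */
    char pw[] = "constructed-secret";            /* constructed sample value */
    char *pipe_form[] = { "/bin/cat", NULL };    /* stand-in for a stdin reader */
    char out[64];
    int leaks = argv_leaks(pipe_form, pw);
    int rc = run_with_secret_on_stdin(pipe_form, pw, out, sizeof out);
    printf("argv leaks=%d exit=%d child read: %s", leaks, rc, out);
    return rc == 0 ? 0 : 1;
}
```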
Re: [DNG] why is polkit needed? dropin replacement
Hi again Tito,

On 23/2/20 17:02, Tito via Dng wrote:

> On 2/23/20 4:22 PM, Aitor wrote:
> > Hi Tito,
> >
> > On 23/2/20 14:15, Tito via Dng wrote:
> > > On 2/23/20 1:54 PM, Aitor wrote:
> > > > Hi,
> > > >
> > > > On 23/2/20 13:17, Aitor wrote:
> > > > > The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.
> > > >
> > > > As simple as that:
> > > >
> > > >     system( "echo | sudo -S ");
> > > >
> > > > I tested my first draft and it works. Do it simple, isn't it?
> > > >
> > > > Aitor.
> > >
> > > Hi,
> > > this looks dangerous, isn't the password readable unencrypted in e.g. /proc? You should never send an unencrypted password over a shell or pipe. Usually the password as soon as it is inputted is encrypted with the correct cipher for the system and the buffer is zeroed, then the encrypted password is compared to what is in /etc/shadow or /etc/password or handled in the way is deemed fit. I suggest you to handle the passwords and the command and args to be run in your program This way:
> > > 1) password stays unencrypted for the shortest time
> > > 2) you have control and you can vet the env, program and args that are run.
> > >
> > > Hope this helps.
> > >
> > > Ciao,
> > > Tito
> >
> > Thanks for the info, i know... Some people ripped me to shreds in the IRC channel some years ago, when i started working on the backend of simple-netaid. This is only for testing the first part of the project. I have two ideas for the second part:
> >
> > - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland.
>
> Hi,
> i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...):
>
> "put into “password mode” using gtk_entry_set_visibility(). In this mode, entered text is displayed using a “invisible” character. By default, GTK+ picks the best invisible character that is available in the current font, but it can be changed with gtk_entry_set_invisible_char(). Since 2.16, GTK+ displays a warning when Caps Lock or input methods might interfere with entering text in a password entry. The warning can be turned off with the “caps-lock-warning” property."
>
> "Note that you probably want to set “input-purpose” to GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN to inform input methods about the purpose of this entry, in addition to setting visibility to FALSE."
>
> On hitting Enter or the OK button this returns a gchar string (typedef of char) that could be fed to:
>
>     encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
>     r = (strcmp(encrypted, pw_pass) == 0);
>     free(encrypted);
>     nuke_str(plaintext);
>     return r;
>
> To see a good example take a look at:
>
> busybox/libbb/correct_password.c
>
> This is widely used code and most pitfalls are already handled.

Thanks, i'll have a look at the code. In any case, something like the code below would be enough:

    setenv("SUDO_ASKPASS", password, 1);
    printf("%s\n", password);

The password needs to be printed, otherwise it won't work. Then, sudo reads the value of the system variable via:

    askpass = getenv_unhooked("SUDO_ASKPASS");

and immediately sudo uses the "unsetenv" function in order to reset the value. This is exactly how ssh-askpass works. All that done, the application can be used in the same way suggested by Didier, replacing ssh-askpass by our new application.

> > - To emulate keypress events in C code afterwards, according to the received password.
>
> Looks as overcomplex to me but I'm not a guru

Yes, i think so.

> > On the other hand, what do you think about the suid receiving the password through the socket, staying the file descriptor for the shortest time? I assume it encrypted.
>
> Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route. After having taken a look at the sudo source code I think it is by far more complex than simple su, I personally would avoid it at all, but this could be added later after having got right the simpler su-only case. I will see if I'm able to cobble together a working example code just for the fun and to refresh my C coding skills.

I started using two separate binaries due to the suid permissions. Bypassing it, then the use of two binaries has no sense.

> Just my 2 cents.
>
> Ciao,
> Tito

Thanks a lot!

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 4:22 PM, Aitor wrote:

> Hi Tito,
>
> On 23/2/20 14:15, Tito via Dng wrote:
> > On 2/23/20 1:54 PM, Aitor wrote:
> > > Hi,
> > >
> > > On 23/2/20 13:17, Aitor wrote:
> > > > The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.
> > >
> > > As simple as that:
> > >
> > >     system( "echo | sudo -S ");
> > >
> > > I tested my first draft and it works. Do it simple, isn't it?
> > >
> > > Aitor.
> >
> > Hi,
> > this looks dangerous, isn't the password readable unencrypted in e.g. /proc? You should never send an unencrypted password over a shell or pipe. Usually the password as soon as it is inputted is encrypted with the correct cipher for the system and the buffer is zeroed, then the encrypted password is compared to what is in /etc/shadow or /etc/password or handled in the way is deemed fit. I suggest you to handle the passwords and the command and args to be run in your program This way:
> > 1) password stays unencrypted for the shortest time
> > 2) you have control and you can vet the env, program and args that are run.
> >
> > Hope this helps.
> >
> > Ciao,
> > Tito
>
> Thanks for the info, i know... Some people ripped me to shreds in the IRC channel some years ago, when i started working on the backend of simple-netaid. This is only for testing the first part of the project. I have two ideas for the second part:
>
> - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland.

Hi,
i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 buttons (cancel, ok) that way it will be the gtk backend to care about X11 or wayland (i suppose...):

"put into “password mode” using gtk_entry_set_visibility(). In this mode, entered text is displayed using a “invisible” character. By default, GTK+ picks the best invisible character that is available in the current font, but it can be changed with gtk_entry_set_invisible_char(). Since 2.16, GTK+ displays a warning when Caps Lock or input methods might interfere with entering text in a password entry. The warning can be turned off with the “caps-lock-warning” property."

"Note that you probably want to set “input-purpose” to GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN to inform input methods about the purpose of this entry, in addition to setting visibility to FALSE."

On hitting Enter or the OK button this returns a gchar string (typedef of char) that could be fed to:

    encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
    r = (strcmp(encrypted, pw_pass) == 0);
    free(encrypted);
    nuke_str(plaintext);
    return r;

To see a good example take a look at:

busybox/libbb/correct_password.c

This is widely used code and most pitfalls are already handled.

> - To emulate keypress events in C code afterwards, according to the received password.

Looks as overcomplex to me but I'm not a guru

> On the other hand, what do you think about the suid receiving the password through the socket, staying the file descriptor for the shortest time? I assume it encrypted.

Why use 2 binaries rather than one, more programs, more code, more communication in between them equals to more attack surface. I would stay with just one suid binary, more so if you want to go the su-only route. After having taken a look at the sudo source code I think it is by far more complex than simple su, I personally would avoid it at all, but this could be added later after having got right the simpler su-only case. I will see if I'm able to cobble together a working example code just for the fun and to refresh my C coding skills.

Just my 2 cents.

Ciao,
Tito

> Thanks in advance,
>
> Aitor.
Re: [DNG] why is polkit needed? dropin replacement
On 23/2/20 16:22, Aitor wrote:

> - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland.

Kryn :)
Re: [DNG] why is polkit needed? dropin replacement
Hi Tito,

On 23/2/20 14:15, Tito via Dng wrote:

> On 2/23/20 1:54 PM, Aitor wrote:
> > Hi,
> >
> > On 23/2/20 13:17, Aitor wrote:
> > > The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.
> >
> > As simple as that:
> >
> >     system( "echo | sudo -S ");
> >
> > I tested my first draft and it works. Do it simple, isn't it?
> >
> > Aitor.
>
> Hi,
> this looks dangerous, isn't the password readable unencrypted in e.g. /proc? You should never send an unencrypted password over a shell or pipe. Usually the password as soon as it is inputted is encrypted with the correct cipher for the system and the buffer is zeroed, then the encrypted password is compared to what is in /etc/shadow or /etc/password or handled in the way is deemed fit. I suggest you to handle the passwords and the command and args to be run in your program This way:
> 1) password stays unencrypted for the shortest time
> 2) you have control and you can vet the env, program and args that are run.
>
> Hope this helps.
>
> Ciao,
> Tito

Thanks for the info, i know... Some people ripped me to shreds in the IRC channel some years ago, when i started working on the backend of simple-netaid. This is only for testing the first part of the project. I have two ideas for the second part:

- To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland.

- To emulate keypress events in C code afterwards, according to the received password.

On the other hand, what do you think about the suid receiving the password through the socket, staying the file descriptor for the shortest time? I assume it encrypted.

Thanks in advance,

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 1:54 PM, Aitor wrote:

> Hi,
>
> On 23/2/20 13:17, Aitor wrote:
> > The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.
>
> As simple as that:
>
>     system( "echo | sudo -S ");
>
> I tested my first draft and it works. Do it simple, isn't it?
>
> Aitor.

Hi,
this looks dangerous, isn't the password readable unencrypted in e.g. /proc? You should never send an unencrypted password over a shell or pipe. Usually the password as soon as it is inputted is encrypted with the correct cipher for the system and the buffer is zeroed, then the encrypted password is compared to what is in /etc/shadow or /etc/password or handled in the way is deemed fit. I suggest you to handle the passwords and the command and args to be run in your program This way:
1) password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that are run.

Hope this helps.

Ciao,
Tito
Re: [DNG] why is polkit needed? dropin replacement
Hi,

On 23/2/20 13:17, Aitor wrote:

> The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.

As simple as that:

    system( "echo | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
Hi Tito,

On 23/2/20 13:19, Tito via Dng wrote:

> Hi,
> please don't restrict it, make it a universally usable tool.

Ok :)

> Why using a socket maybe KISS? For inspiration you can take a look at:
>
> https://git.busybox.net/busybox/tree/loginutils/su.c
>
> this is tested and widely used code.

Thanks for the info. I'll give it a try.

> If you will use C as programming language and you any need help drop a line.
>
> Ciao,
> Tito
>
> BTW: it would be nice if this tool could be compiled with gtk2 or gtk3 this would allow more widespread adoption

The first code (for testing purposes) will be taken from the frontend of simple-netaid -which is developed in gtkmm/C++-, but i can reverse it to Gtk/C over time.

Cheers,

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
Hi,

On 23/2/20 13:23, Aitor wrote:

> Hi Tom,
>
> On 23/2/20 13:21, tom wrote:
> > What happens when a password isn't need, such as when a sudo policy is set?
>
> Are you referring to the sudo | su duality?
>
> Aitor.

If so, the application might check the sudo permissions of the current user, reading the /etc/groups and /etc/sudoers files.
Re: [DNG] why is polkit needed? dropin replacement
Hi Tom,

On 23/2/20 13:21, tom wrote:

> What happens when a password isn't need, such as when a sudo policy is set?

Are you referring to the sudo | su duality?

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
On Sun, 23 Feb 2020 13:17:21 +0100 Aitor wrote:

> Hi,
>
> On 23/2/20 12:34, Aitor wrote:
> >
> > Hi Steve,
> >
> > On 21/2/20 21:57, Steve Litt wrote:
> > > Will it work even if I'm not using lxqt? Does it stand alone?
> > >
> > > SteveT
> >
> > I've just started developing a replacement for gksu in gtk2 following the same method used in simple-netaid, that is: a suid binary receiving the password through an unix socket, and the name of the application to be run as an argument in the command line. Since i'm not that expert on security stuff, maybe i'll restrict this tool only to a few graphical applications like synaptic, bleachbit, gparted, thunar, pcmanfm...
> > Any suggestion for the name of this alternative? What about gkexec?
> >
> > Cheers,
> >
> > Aitor.
>
> I rectify:
>
> The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.
>
> Aitor.

What happens when a password isn't need, such as when a sudo policy is set?
Re: [DNG] why is polkit needed? dropin replacement
On 2/23/20 12:34 PM, Aitor wrote:

> Hi Steve,
>
> On 21/2/20 21:57, Steve Litt wrote:
> > Will it work even if I'm not using lxqt? Does it stand alone?
> >
> > SteveT
>
> I've just started developing a replacement for gksu in gtk2 following the same method used in simple-netaid, that is: a suid binary receiving the password through an unix socket, and the name of the application to be run as an argument in the command line. Since i'm not that expert on security stuff, maybe i'll restrict this tool only to a few graphical applications like synaptic, bleachbit, gparted, thunar, pcmanfm...
> Any suggestion for the name of this alternative? What about gkexec?
>
> Cheers,
>
> Aitor.

Hi,
please don't restrict it, make it a universally usable tool. Why using a socket maybe KISS? For inspiration you can take a look at:

https://git.busybox.net/busybox/tree/loginutils/su.c

this is tested and widely used code. If you will use C as programming language and you any need help drop a line.

Ciao,
Tito

BTW: it would be nice if this tool could be compiled with gtk2 or gtk3 this would allow more widespread adoption.
Re: [DNG] why is polkit needed? dropin replacement
Hi,

On 23/2/20 12:34, Aitor wrote:

> Hi Steve,
>
> On 21/2/20 21:57, Steve Litt wrote:
> > Will it work even if I'm not using lxqt? Does it stand alone?
> >
> > SteveT
>
> I've just started developing a replacement for gksu in gtk2 following the same method used in simple-netaid, that is: a suid binary receiving the password through an unix socket, and the name of the application to be run as an argument in the command line. Since i'm not that expert on security stuff, maybe i'll restrict this tool only to a few graphical applications like synaptic, bleachbit, gparted, thunar, pcmanfm...
> Any suggestion for the name of this alternative? What about gkexec?
>
> Cheers,
>
> Aitor.

I rectify:

The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
Hi Steve,

On 21/2/20 21:57, Steve Litt wrote:

> Will it work even if I'm not using lxqt? Does it stand alone?
>
> SteveT

I've just started developing a replacement for gksu in gtk2 following the same method used in simple-netaid, that is: a suid binary receiving the password through an unix socket, and the name of the application to be run as an argument in the command line. Since i'm not that expert on security stuff, maybe i'll restrict this tool only to a few graphical applications like synaptic, bleachbit, gparted, thunar, pcmanfm...

Any suggestion for the name of this alternative? What about gkexec?

Cheers,

Aitor.
Re: [DNG] why is polkit needed? dropin replacement
On 2/21/20 10:56 PM, Florian Zieboll wrote:
> On Fri, 21 Feb 2020 15:57:42 -0500 Steve Litt wrote:
> > On Wed, 19 Feb 2020 01:23:47 -0800 tom wrote:
> > > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > > https://github.com/lxqt/lxqt-sudo
> > > It works pretty well.
> >
> > Will it work even if I'm not using lxqt? Does it stand alone?
>
> Not "alone", but quite fine for a GUI - and compared to gksu in a very
> different league:
>
> $ apt show lxqt-sudo | grep Depends # beowulf
> Depends: libc6 (>= 2.14), liblxqt0 (>= 0.14.1~), libqt5core5a (>= 5.11.0~rc1), libqt5gui5 (>= 5.7.0), libqt5widgets5 (>= 5.0.2), libstdc++6 (>= 6)
>
> $ apt show gksu | grep Depends # jessie
> Depends: gconf-service, libatk1.0-0 (>= 1.12.4), libc6 (>= 2.4), libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.11), libfreetype6 (>= 2.2.1), libgconf-2-4 (>= 3.2.5), libgdk-pixbuf2.0-0 (>= 2.22.0), libgksu2-0 (>= 2.0.8), libglib2.0-0 (>= 2.16.0), libgnome-keyring0 (>= 2.20.3), libgtk2.0-0 (>= 2.8.0), libpango-1.0-0 (>= 1.14.0), libpangocairo-1.0-0 (>= 1.14.0), libpangoft2-1.0-0 (>= 1.14.0), libstartup-notification0 (>= 0.2), sudo
> Conflicts: gnome-sudo (<= 0.3-1.1)
>
> libre Grüße,
> Florian

Hi,

I wonder if there is a way to make it intercept the polkit dbus calls and eventually ask for a password?
Does something like:

Replaces polkit

exist in the debian packaging voodoo?

Ciao,
Tito
Re: [DNG] why is polkit needed? dropin replacement
On Wed, 19 Feb 2020 15:17:06 +0100 Tito via Dng wrote:
> On 2/19/20 10:23 AM, tom wrote:
> > On Wed, 19 Feb 2020 00:35:26 -0800
> > tom wrote:
> >
> >> Deprecated gksudo? Well that's pretty dumb. Any particular reason
> >> Devuan doesn't just fish around for the old gksudo git repo and
> >> continue that instead of dealing with this policykit mess of
> >> complexity? You can allow users in a group, for example
> >> 'installers', to run synaptic by editing sudo's config like so:
> >>
> >> %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> >>
> >> This Policykit stuff just seems like completely unneeded and
> >> unstable cruft like systemd or pulseaudio.
> >>
> >> Thank you for clarifying though. I'm going to see about getting it
> >> working on Gentoo since I have more experience with ebuilds than I
> >> do with Debian packaging currently.
> >
> > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > https://github.com/lxqt/lxqt-sudo
> > It works pretty well.
>
> Hi,
>
> this one is nice! but it solves only partially the problem
> of eventually removing policykit because most packages
> like for example synaptic or network-manager have a
> dependency on polkit or on libpolkit-gobject-1.
> Replacing pkexec could be easily done with a wrapper
> calling lxqt-sudo, but I cannot imagine what
> debian packaging voodoo would be needed to
> remove polkit, but for sure a lot of work.
> It is hard to weed out over-complexity once
> it slipped in.
>
> Ciao,
> Tito

If someone had some time they could patch synaptic to remove any pkexec stuff. But a quick and dirty hack would be to simply modify the XDG .desktop file and prepend lxsudo to the command line.

Here is an example I did for Zenmap:

https://0x0.st/iZpe.png

[Desktop Entry]
Name=Zenmap (as root)
GenericName=GUI Port Scanner
TryExec=/usr/share/zenmap/su-to-zenmap.sh
Exec=lxsudo zenmap
Terminal=false
Icon=/usr/share/zenmap/pixmaps/zenmap.png
Type=Application
Categories=Network;System;Security;
Comment=A cross-platform GUI for the Nmap Security Scanner.
Keywords=network;scan;scanner;IP;security;
Path=
StartupNotify=false

It should also be noted that Zenmap already came with a decent script to do this, but for my purposes this simple hack worked well enough. I didn't like the jarring visual discontinuity of xterm. I also would rather use sudo than su based tools since sudo can have finer-grained policies set.
Re: [DNG] why is polkit needed? dropin replacement
On Fri, 21 Feb 2020 15:57:42 -0500 Steve Litt wrote:
> On Wed, 19 Feb 2020 01:23:47 -0800
> tom wrote:
>
> > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > https://github.com/lxqt/lxqt-sudo
> > It works pretty well.
>
> Will it work even if I'm not using lxqt? Does it stand alone?

Not "alone", but quite fine for a GUI - and compared to gksu in a very different league:

$ apt show lxqt-sudo | grep Depends # beowulf
Depends: libc6 (>= 2.14), liblxqt0 (>= 0.14.1~), libqt5core5a (>= 5.11.0~rc1), libqt5gui5 (>= 5.7.0), libqt5widgets5 (>= 5.0.2), libstdc++6 (>= 6)

$ apt show gksu | grep Depends # jessie
Depends: gconf-service, libatk1.0-0 (>= 1.12.4), libc6 (>= 2.4), libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.11), libfreetype6 (>= 2.2.1), libgconf-2-4 (>= 3.2.5), libgdk-pixbuf2.0-0 (>= 2.22.0), libgksu2-0 (>= 2.0.8), libglib2.0-0 (>= 2.16.0), libgnome-keyring0 (>= 2.20.3), libgtk2.0-0 (>= 2.8.0), libpango-1.0-0 (>= 1.14.0), libpangocairo-1.0-0 (>= 1.14.0), libpangoft2-1.0-0 (>= 1.14.0), libstartup-notification0 (>= 0.2), sudo
Conflicts: gnome-sudo (<= 0.3-1.1)

libre Grüße,
Florian
Re: [DNG] why is polkit needed? dropin replacement
On Wed, 19 Feb 2020 01:23:47 -0800 tom wrote:
> On Wed, 19 Feb 2020 00:35:26 -0800
> tom wrote:
>
> > Deprecated gksudo? Well that's pretty dumb. Any particular reason
> > Devuan doesn't just fish around for the old gksudo git repo and
> > continue that instead of dealing with this policykit mess of
> > complexity? You can allow users in a group, for example
> > 'installers', to run synaptic by editing sudo's config like so:
> >
> > %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> >
> > This Policykit stuff just seems like completely unneeded and
> > unstable cruft like systemd or pulseaudio.
> >
> > Thank you for clarifying though. I'm going to see about getting it
> > working on Gentoo since I have more experience with ebuilds than I
> > do with Debian packaging currently.
>
> Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> https://github.com/lxqt/lxqt-sudo
> It works pretty well.

Will it work even if I'm not using lxqt? Does it stand alone?

SteveT

Steve Litt
February 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
Re: [DNG] why is polkit needed? dropin replacement
On 2/19/20 10:23 AM, tom wrote:
> On Wed, 19 Feb 2020 00:35:26 -0800 tom wrote:
> > Deprecated gksudo? Well that's pretty dumb. Any particular reason
> > Devuan doesn't just fish around for the old gksudo git repo and
> > continue that instead of dealing with this policykit mess of
> > complexity? You can allow users in a group, for example
> > 'installers', to run synaptic by editing sudo's config like so:
> >
> > %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> >
> > This Policykit stuff just seems like completely unneeded and
> > unstable cruft like systemd or pulseaudio.
> >
> > Thank you for clarifying though. I'm going to see about getting it
> > working on Gentoo since I have more experience with ebuilds than I
> > do with Debian packaging currently.
>
> Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> https://github.com/lxqt/lxqt-sudo
> It works pretty well.

Hi,

this one is nice! but it solves only partially the problem of eventually removing policykit because most packages like for example synaptic or network-manager have a dependency on polkit or on libpolkit-gobject-1.
Replacing pkexec could be easily done with a wrapper calling lxqt-sudo, but I cannot imagine what debian packaging voodoo would be needed to remove polkit, but for sure a lot of work.
It is hard to weed out over-complexity once it slipped in.

Ciao,
Tito
Re: [DNG] why is polkit needed? dropin replacement
On Wed, 19 Feb 2020 00:35:26 -0800 tom wrote:
> Deprecated gksudo? Well that's pretty dumb. Any particular reason
> Devuan doesn't just fish around for the old gksudo git repo and
> continue that instead of dealing with this policykit mess of
> complexity? You can allow users in a group, for example
> 'installers', to run synaptic by editing sudo's config like so:
>
> %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
>
> This Policykit stuff just seems like completely unneeded and unstable
> cruft like systemd or pulseaudio.
>
> Thank you for clarifying though. I'm going to see about getting it
> working on Gentoo since I have more experience with ebuilds than I do
> with Debian packaging currently.

Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
https://github.com/lxqt/lxqt-sudo
It works pretty well.